Call to arms

There’s been a quiet notice that some addons have been contaminated. Which? Well, for certain there was one called Titan Panel 3.0.6 new. The contaminated origin point? ui.worldofwarcraft.net. The source of the contamination? A program called Stats Sniffer. So if you went there, do yourself a favor and clean your computer. Why?

I’m not at the call to arms yet; I’m setting background. And that needs you to go read the answer to Why, over at Breana’s site. Go. It’s important. Then come back.

As I told Breana in the comments, I’m writing an email. And a letter – a snail-mail, in-the-envelope letter. Basically, I’m copying the main part of the story and telling Blizzard this is unacceptable. That I want it fixed. That if this is the ‘service’ I can receive when an account is being looted, I have lots of fun things to do that occupy my time – I’ll miss WoW, but not enough to risk THAT.

And I’ve added a suggestion – a simple one, easily implemented but difficult to bypass. Again, the same as I posted in the comments. Blizzard, set up an auto-respond system with a complex confirmation code – the same kind various email and other sites use – with a SIMPLE rule. If an account’s email address is changed, the account is frozen until the account holder responds to (and releases) the notice of the change.

CALL TO ARMS: I ask you to add your voice. Don’t sign a petition, don’t stop at agreeing with me that this is bad and we should make Blizzard fix it. Act. Write an email. Write a letter. Ask in the official forums. Dear God, this is an easy problem to fix – FIX IT.


14 Responses to “Call to arms”

I think your kill switch idea is excellent, and I am surprised they don’t already use it, since they have half of it already in place (the email that tells you you have changed it).

The nightmare continued today, when Shia got his account back but then had to wait online for over two hours until a GM finally came on to say, “Well, we are going to investigate it. See ya.”

I am going to post a comment on the Blizz Forums tomorrow morning. Maybe someone else won’t have to go through this. I have known other people whose accounts have been hacked, but never have I ever watched it happen in front of me, and felt so damn useless. It is horrible and humiliating.

If you do send a letter, would you please let me know where? I could send it to billing and accounts, but will that actually be read by someone, or just tossed in the complaint bin?

In the meantime, I recommend that you practice due diligence and not download any addons that contain binaries. An addon which contains only pure Lua code cannot steal your account. Lua code can only do what Blizzard explicitly allows it to do, and getting account details is not one of those things. The Lua code isn’t even running at the login screen.

You got your facts wrong. Listservs and other email-using software do not lock your account if your email address changes. They simply continue to use the old email address until the owner of the new email address confirms that he wants the address change to happen. This is a countermeasure to avoid spam, not to safeguard your account. If the attacker can change your email address, your account has already been compromised. There’s no point in crying over spilled milk at that point.

Also, your proposed solution has several issues that need to be addressed before it’s even usable. First of all, changing the email address is no requirement for an account compromise. If I have your account name and password, I can just log in, vendor/disenchant every soulbound item and send everything to another account. That takes 5 minutes tops. I don’t need to change the email address. I don’t need to change the password. I don’t need to change the password hints. I don’t need to change the billing information. I don’t need to change anything to do that. Furthermore, I think that an overwhelming percentage of email address changes are completely legitimate. Automatically locking an account when the email address changes is thus annoying at best.

A hotline would be a better solution, but not without tradeoffs. The most obvious one is that the hotline could also serve as a denial-of-service tool for the attacker. If you have an important event or a raid coming up, the attacker can just use social engineering, impersonate you and claim that your account has been compromised. This would lock your account and you’d have to wait for Blizzard to sort it out. Credit card companies can do this, because getting your card temporarily locked out is several orders of magnitude less of a hassle than having all of your money stolen. That is not the case with WoW accounts.

First – imprecise, not wrong. Before a change is made, a confirmation is received. However, there are some sites I’ve administered where the confirmation of change of PASSWORD is contingent on a confirmation.

Part of your confusion is that you’re consistently saying email when what was changed was PASSWORD. Based on both my experience and industry reports, passwords are NOT commonly changed. Locking the account until a confirming response from the original email account that the password was changed by THAT person is an easy solution. Note, of course, that it’s not a perfect solution. For example, there’s nothing preventing the thief from just using the original password — except, of course, that with THAT in hand the player can stop the thief much sooner. (Parental control lockouts – which require ANOTHER password – being one example.) And just changing it when done, with the attendant lockups.

Now I agree that due diligence should be practiced. You should examine your download before installing to ensure it doesn’t contain a .bat, .exe, or .com file. That said, one of the reasons (besides the single source shopping) the download sites are so popular is because they claim to have vetted their product.

Allow me to interject here – I singled out warcraft.net above, but it turns out they may not have been the only one to have picked up the contaminated package. Any sites which have allowed this through after claiming to have checked them (and not all do) are facing potential backlash that will not be pretty.

As to your hotline… yes. I’ll agree that too is an excellent idea. Submit and request. But “best”? I will tell you what would have been the “best”, what would have kept the heat a LOT less.

When a trouble ticket submitted under “compromised account” (and that is a standard header line choice, autogenerated, in trouble tickets) arrives, it gets bumped to the head of the queue. It’s one of possibly half a dozen issues out of the nearly 100 choices which need timely intervention (if possible).

Breana, regardless of where you send it I cannot promise it won’t be round-filed — I do not work there, I do not handle the mail or pull puppet strings. (If I did, don’t you think priests would be a teensy bit OP’d? – grin).

I SUSPECT that regardless where you send it, it’ll wind up in the right hands. Businesses that ignore customer complaints go out of business. Even if they decide they can’t or won’t do anything about the issue, they want to have made the decision consciously instead of seeing people leave and not having a clue.
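The freeze-until-confirmed mechanism proposed in the post and refined in the reply above (hold a password or email change, freeze the account, and apply the change only when the holder of the address already on file answers), as an added example that is neither Blizzard’s code nor the blog author’s. The 24-hour token lifetime, the in-memory outbox and the account names are assumptions, and the current time is passed in explicitly so expiry can be exercised.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 24 * 3600  # constructed value: seconds a confirmation token stays valid

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, name, email, password):
        self.name, self.email = name, email   # email = address of record
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(password, self.salt)
        self.frozen, self.pending = False, None  # pending = (field, new_value, token_hash, expires_at)
        self.outbox = []  # stand-in for the mail server: list of (to, body)

    def can_login(self, password):
        # Frozen accounts refuse every login until the holder of the ORIGINAL address answers.
        return not self.frozen and hmac.compare_digest(
            self.password_hash, _hash(password, self.salt))

    def request_change(self, field, new_value, now):
        # Record a requested email/password change, freeze the account, mail a token.
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self.pending = (field, new_value, token_hash, now + TOKEN_TTL)
        self.frozen = True
        # The notice goes to the address already on file, never to a newly supplied one.
        self.outbox.append((self.email, f"Confirm {field} change for {self.name}: {token}"))
        return token

    def confirm_change(self, token, now):
        # Apply the pending change only for a valid, unexpired token; otherwise stay frozen.
        if self.pending is None:
            return False
        field, new_value, token_hash, expires_at = self.pending
        presented = hashlib.sha256(token.encode()).digest()
        if now > expires_at or not hmac.compare_digest(token_hash, presented):
            return False
        if field == "password":
            self.password_hash = _hash(new_value, self.salt)
        elif field == "email":
            self.email = new_value
        self.pending, self.frozen = None, False
        return True

    def reject_change(self):
        # Holder replied "not me": drop the change but keep the freeze for support to resolve.
        self.pending = None
```

Note that, as the reply above concedes, this only bites when the thief changes something; a thief who simply logs in with the stolen password is not stopped by it.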
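The pre-install check recommended in the comments (no binaries in an addon; pure Lua cannot read your credentials, so look for .bat, .exe or .com files before installing), as an added example that is not from the post or any download site. The allowed-extension list and the Titan Panel-style sample archives are constructed, and the two-byte “MZ” header check is an extra beyond the thread: Windows executables begin with those bytes whatever the file is called.

```python
import io
import os
import zipfile

# Files a pure-Lua addon legitimately ships: code, UI definitions, art, sound, docs.
ALLOWED = {".toc", ".lua", ".xml", ".tga", ".blp", ".mp3", ".ogg", ".wav", ".txt", ".md"}
EXECUTABLE = {".exe", ".bat", ".com", ".cmd", ".dll", ".scr", ".vbs", ".ps1", ".msi"}  # never belongs in an addon

def inspect_addon(zip_bytes):
    """Return (member, reason) findings for one addon archive; an empty list means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                head = member.read(2)  # Windows executables start with "MZ"
            if ext in EXECUTABLE:
                findings.append((info.filename, "executable extension"))
            elif head == b"MZ":
                findings.append((info.filename, "executable header hidden behind a harmless extension"))
            elif ext not in ALLOWED:
                findings.append((info.filename, "unexpected file type"))
    return findings

def build_archive(members):
    """Constructed test input: build a zip in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in members.items():
            zf.writestr(path, data)
    return buf.getvalue()

# Constructed samples, named after the Titan Panel package mentioned in the post.
CLEAN = build_archive({
    "TitanPanel/TitanPanel.toc": b"## Title: Titan Panel\n",
    "TitanPanel/TitanPanel.lua": b"-- addon code\n",
})
TAINTED = build_archive({
    "TitanPanel/TitanPanel.toc": b"## Title: Titan Panel\n",
    "TitanPanel/TitanPanel.lua": b"-- addon code\n",
    "TitanPanel/install.bat": b"@echo off\n",      # obvious: script extension
    "TitanPanel/Textures/icon.tga": b"MZ\x90\x00",  # executable renamed to look like art
    "TitanPanel/data.bin": b"\x01\x02",             # nothing a Lua addon needs
})

if __name__ == "__main__":
    for label, archive in (("clean", CLEAN), ("tainted", TAINTED)):
        print(label, inspect_addon(archive) or "no findings")
```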

This EXACT thing happened to one of our guild officers over the weekend, except that it happened late at night and nobody was around to notice. They left everything but his pvp gear because that’s not vendorable. They also tapped into the guild bank since he was an officer. Nothing so sad as seeing a hunter in full PVP gear missing a gun (because they took his).

We’re still waiting for word, and it’s been four days.

The kill switch is a good idea but I agree that I think passwords should not be allowed to change without confirmation via email. That would take an extra step but ensures that this sort of thing won’t happen.

The thing is, if your house is robbed, you can call the police and file a report. Here, you can do nothing. Part of the problem is the feeling of helplessness.

The situation is MUCH worse when a guild bank is involved, because then the burglary affects everyone in the guild.

One final comment: You really need to post something about this to the places that have some real influence, like Metafilter and Slashdot. This is a real-life example of how identity theft can wreak havoc in a game, but the biggest issue is that Blizzard is not treating this like a real crime. I WOULD LIKE TO SEE THESE PEOPLE PROSECUTED AND CHARGED WITH REAL CRIMES because even though they are pixels, they still steal things that do not belong to them.

Just adding my voice here, as well as elsewhere. In the past few months, I’ve learned the WoW blogging community is strong, vibrant, committed–and respected. If we can organize even a small, but very vocal, part of the WoW community to implore Blizzard to correct this untenable situation, then we need to work to that end.

While the “real-world” implications of an account theft may be minimal, in the case Breana relates, it certainly impacted the in-game experience of a large number of people in an extremely negative manner. Blizzard neither wants nor needs that kind of negative feeling. But unless they are made aware that the community considers this to be a major problem, they may not treat it as such.
